Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.

•You must use the Per-interface NetFlow feature in conjunction with the NetFlow Accounting for Unicast and Multicast on GRE Tunnel Interfaces feature.

•The instructions for configuring IPv4 unicast routing are not included in this document. If you want to configure NetFlow accounting for IPv4 unicast traffic on a GRE IP interface, your switch must already be configured for IPv4 unicast routing.

•The instructions for configuring IPv4 multicast routing are not included in this document. If you want to configure NetFlow accounting for IPv4 multicast traffic on a GRE IP interface, your switch must already be configured for IPv4 multicast routing.

Information About NetFlow Accounting for Unicast and Multicast on GRE IP Tunnel Interfaces

GRE Tunneling

Generic routing encapsulation (GRE) tunneling is defined in RFC 2784. GRE is a carrier protocol that can be used with a variety of underlying transport protocols and that can carry a variety of passenger protocols. RFC 2784 also covers the use of GRE with IPv4 as the transport protocol and the passenger protocol. For more information on GRE tunnels, see the Cisco IOS Interface and Hardware Component Configuration Guide. Figure 1 is an example of a typical implementation of a GRE IP tunnel.

Figure 1 Sample Network with a GRE IPv4 Tunnel

GRE Tunnel Keepalive

Keepalive packets can be configured to be sent over IP-encapsulated GRE tunnels. You can specify the rate at which keepalives will be sent and the number of times that a device will continue to send keepalive packets without a response before the interface becomes inactive. GRE keepalive packets may be sent from both sides of a tunnel or from just one side.

Tunnel Interfaces

A tunnel interface is used to pass protocol traffic across a network that does not normally support the protocol. Building a tunnel requires defining a tunnel interface on each of two routers. The tunnel interfaces must reference each other. At each router, the tunnel interface must be configured with a Layer 3 address. The tunnel endpoints, tunnel source, and tunnel destination must be defined, and the type of tunnel must be selected. Optional steps can be performed to customize the tunnel.

Remember to configure the router at each end of the tunnel. If only one side of a tunnel is configured, the tunnel interface may still come up and stay up (unless keepalive is configured), but packets going into the tunnel will be dropped.

In Cisco IOS Release 12.2(8)T and later releases, Cisco express forwarding (CEF) switching over multipoint GRE tunnels was introduced. Previously, only process switching was available for multipoint GRE tunnels.

NetFlow Accounting on GRE IP Tunnel Interfaces

To analyze traffic that is sent from c3825 to c3745 in Figure 1, NetFlow accounting is configured as shown in Table 1. The flows in the "Flows" column are shown in Figure 2 through Figure 5.

Table 1 Where to Configure NetFlow Accounting and Which NetFlow Commands to Configure

| Encapsulation/De-encapsulation | Router | Ingress Physical Interface | Ingress Tunnel Interface | Egress Physical Interface | Egress Tunnel Interface | Flows | Traffic Direction |
|---|---|---|---|---|---|---|---|
| Unicast over GRE (encap) | C65002 | ip flow ingress on interface gigabit 3/1 | No configuration | No configuration | ip flow egress on interface tunnel 0 | Flow (1), Flow (2) | C3825 to C3745 |
| Unicast over GRE (decap) | C65003 | ip flow ingress on interface gigabit 5/2 | ip flow ingress on interface tunnel 0 | No configuration | No configuration | Flow (1), Flow (2) | C3825 to C3745 |
| Multicast over GRE (encap) | C65002 | ip flow ingress on interface gigabit 3/1 | No configuration | ip flow egress on interface 6/2 | ip flow egress on interface tunnel 0 | Flow (1), Flow (2), Flow (3) | C3825 to C3745 |
| Multicast over GRE (decap) | C65003 | ip flow ingress on interface gigabit 5/2 | ip flow ingress on interface tunnel 0 | ip flow egress on interface 1/1 | No configuration | Flow (1), Flow (2), Flow (3) | C3825 to C3745 |

When you configure NetFlow accounting for IPv4 unicast traffic on a GRE tunnel interface, the traffic that is encapsulated or de-encapsulated on the router results in the creation of two flows. See Figure 2 and Figure 3. When you configure NetFlow accounting for IPv4 multicast traffic on a GRE tunnel interface, the traffic that is encapsulated or de-encapsulated on the router results in the creation of three flows. See Figure 4 and Figure 5. The increase in the number of flows created results in an increase in the usage of the hardware NetFlow table. You must monitor the hardware NetFlow table on your router to ensure that it is not oversubscribed.

If you are using NetFlow data export, the number of exported flows is also increased. Flows from the hardware table are converted to the Version 9 export format and then exported. Because the number of flows is doubled when you configure NetFlow Data Export, twice as much memory is required to convert the flows to Version 9 export format and then export them.

encapsulation

Adding the GRE tunnel header and trailer to the beginning and end, respectively, of the packet being transmitted over the GRE tunnel.

de-encapsulation

Removing the GRE tunnel header and trailer from the beginning and end, respectively, of the packet being received from the GRE tunnel.

ingress

The inbound path of traffic. For example, the ingress interface is the interface over which traffic is received.

egress

The outbound path of traffic. For example, the egress interface is the interface over which traffic is transmitted.

ID

Destination IP address.

IS

Source IP address.

TD

Destination IP address for the tunnel interface.

TS

Source IP address for the tunnel interface.

MD

Multicast destination IP address.

MS

Multicast source IP address.

payload

The packet data.

Figure 2 shows the packet encapsulation process for unicast IPv4 traffic that is received on interface Gigabit Ethernet 3/1 on c65002 in Figure 1. The first flow is the result of NetFlow accounting for the traffic after it is received on physical interface 3/1 (ingress NetFlow). The second flow is the result of NetFlow accounting for the traffic as it is being transmitted on the GRE tunnel interface T0 (egress NetFlow).

Figure 3 shows the packet de-encapsulation process for unicast IPv4 traffic that is received on interface Gigabit Ethernet 3/1 on c65002 in Figure 1. The first flow is the result of NetFlow accounting for the traffic after it is received on the physical interface 5/2 (ingress NetFlow). The second flow is the result of NetFlow accounting for the traffic as it is being received and de-encapsulated on the tunnel interface T0 (ingress NetFlow).

During de-encapsulation, only ingress features of the tunnel are applied on the packets, and during encapsulation, only egress features of the tunnel are applied.

Multicast replication can happen in either ingress or egress mode. GRE encapsulation of multicast flows is done on the line card on which the ingress physical interface resides, irrespective of the ingress or egress replication mode. So in the case of both ingress and egress multicast replication modes, egress flows are created on the ingress line card.

The examples in Figure 4 and Figure 5 show how and why multiple flows are created during GRE handling of packets. In Figure 4, Flow 1 is created when packets are received by physical interface 3/1. Flows 2 and 3 are created as part of the multicast replication process using the internal virtual local area networks (VLANs) that are required for NetFlow accounting to keep track of the multicast traffic.

In Figure 5, Flow 1 is created when packets are received over physical interface 5/2. Flow 2 is created as part of the de-encapsulation process. Flow 3 is created as the multicast traffic is replicated and forwarded on interface 1/1.

Configuring a GRE IP Tunnel

Prerequisites

Ensure that the physical interface to be used as the tunnel source in this task is up and configured with the appropriate IP address. For hardware technical descriptions and information about installing interfaces, see the hardware installation and configuration documentation for your product.

Restrictions

GRE tunnel keepalive is not supported in cases where virtual routing and forwarding (VRF) is applied to a GRE tunnel.

SUMMARY STEPS

1. enable

2. configure terminal

3. interface type number

4. bandwidth kbps

5. ip address address mask

6. keepalive [period [retries]]

7. tunnel source {ip-address | interface-type interface-number}

8. tunnel destination {hostname | ip-address}

9. tunnel key key-number

10. tunnel mode gre ip

11. ip mtu bytes

12. ip tcp mss mss-value

13. tunnel path-mtu-discovery [age-timer {aging-mins | infinite}]

14. end

15. Repeat Steps 1 through 14 on the router that hosts the other end of the GRE tunnel.

DETAILED STEPS

Command or Action

Purpose

Step 1

enable

Example:

Router> enable

Enables privileged EXEC mode.

•Enter your password if prompted.

Step 2

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:

Router(config)# interface tunnel 0

Specifies the interface type and number and enters interface configuration mode.

•To configure a tunnel, use tunnel for the type argument.

Step 4

bandwidth kbps

Example:

Router(config-if)# bandwidth 1000

Sets the current bandwidth value for an interface and communicates it to higher-level protocols. Specifies the tunnel bandwidth to be used to transmit packets.

•Use the kbps argument to set the bandwidth, in kilobits per second (kbps).

Note This is a routing parameter only; it does not affect the physical interface. The default bandwidth setting on a tunnel interface is 9.6 kbps. You should set the bandwidth on a tunnel to an appropriate value.

Step 5

ip address address mask

Example:

Router(config-if)# ip address 192.168.3.1 255.255.255.0

Specifies an IP address for the interface.

Step 6

keepalive [period [retries]]

Example:

Router(config-if)# keepalive 3 7

(Optional) Specifies the number of times that the device will continue to send keepalive packets without response before bringing the tunnel interface protocol down.

•GRE keepalive packets may be configured either on only one side of the tunnel or on both.

•If GRE keepalive is configured on both sides of the tunnel, the period and retries arguments can be different at each side of the link.

Note This command is supported only on GRE point-to-point tunnels.

Note The GRE tunnel keepalive feature should not be configured on a VRF tunnel. This combination of features is not supported.

Step 7

tunnel source {ip-address | interface-type interface-number}

Example:

Router(config-if)# tunnel source GigabitEthernet6/2

Configures the tunnel source.

•Use the ip-address argument to specify the source IP address.

•Use the interface-type and interface-number arguments to specify the interface to use.

Note The tunnel source and destination IP addresses must be defined on two separate devices.

Step 8

tunnel destination {hostname | ip-address}

Example:

Router(config-if)# tunnel destination 10.5.9.62

Configures the tunnel destination.

•Use the hostname argument to specify the name of the host destination.

•Use the ip-address argument to specify the IP address of the host destination.

Note The tunnel source and destination IP addresses must be defined on two separate devices.

Step 9

tunnel key key-number

Example:

Router(config-if)# tunnel key 1000

(Optional) Enables an ID key for a tunnel interface.

•Use the key-number argument to identify a tunnel key that is carried in each packet.

•Tunnel ID keys can be used as a form of weak security to prevent improper configuration or injection of packets from a foreign source.

Note This command is supported only on GRE tunnel interfaces. We do not recommend relying on this key for security purposes.

Step 10

tunnel mode gre ip

Example:

Router(config-if)# tunnel mode gre ip

Specifies GRE IP as the encapsulation protocol to be used in the tunnel.

Step 11

ip mtu bytes

Example:

Router(config-if)# ip mtu 1400

(Optional) Sets the maximum transmission unit (MTU) size of IP packets sent on an interface.

•If an IP packet exceeds the MTU set for the interface, the Cisco IOS software will fragment it unless the don't fragment (DF) bit is set.

•All devices on a physical medium must have the same protocol MTU in order to operate.

Note If the tunnel path-mtu-discovery command is going to be enabled in Step 13, do not configure this command.

Step 12

ip tcp mss mss-value

Example:

Router(config-if)# ip tcp mss 250

(Optional) Specifies the maximum segment size (MSS) for TCP connections that originate or terminate on a router.

•Use the mss-value argument to specify the maximum segment size for TCP connections, in bytes.
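As an added example (not from this document or from Cisco), the following Python helper renders the interface configuration from Steps 3 through 12 for each end of the tunnel and then applies the ip flow placement rules from Table 1 above, so the ingress and egress NetFlow commands land on the interfaces the table names for each router role and traffic type. Router names, interface names, the peer address on c65003, the MSS value and the hardware table capacity used in the headroom check are assumptions.

```python
"""Render both ends of a GRE IP tunnel plus the NetFlow placement from Table 1.

Hypothetical helper written for this page, not Cisco code. Names, interfaces
and addresses are constructed from Figure 1, Table 1 and the step examples.
"""
from dataclasses import dataclass
from typing import List, Optional

# Table 1 as a decision table: (role, traffic) -> interface slot -> ip flow direction.
# role is "encap" for the router entering the tunnel, "decap" for the one leaving it.
NETFLOW_PLACEMENT = {
    ("encap", "unicast"):   {"phys_in": "ingress", "tunnel": "egress"},
    ("decap", "unicast"):   {"phys_in": "ingress", "tunnel": "ingress"},
    ("encap", "multicast"): {"phys_in": "ingress", "phys_out": "egress", "tunnel": "egress"},
    ("decap", "multicast"): {"phys_in": "ingress", "tunnel": "ingress", "phys_out": "egress"},
}
# Hardware flows created per traffic stream once NetFlow runs on the tunnel (text above).
FLOWS_PER_STREAM = {"unicast": 2, "multicast": 3}


@dataclass
class Endpoint:
    name: str
    tunnel_src_if: str              # physical interface given as "tunnel source"
    tunnel_src_ip: str              # its address; the peer uses it as "tunnel destination"
    tunnel_ip: str                  # Layer 3 address on the tunnel interface itself
    phys_in: str                    # ingress physical interface column of Table 1
    phys_out: Optional[str] = None  # egress physical interface column (multicast rows only)


def tunnel_config(local: Endpoint, remote: Endpoint, role: str, traffic: str,
                  key: int = 1000, mtu: int = 1400, mss: int = 1360) -> List[str]:
    """IOS lines for one end: Steps 3 to 12 of the task, then Table 1's ip flow commands."""
    lines = [
        "interface tunnel 0",
        " bandwidth 1000",                       # routing parameter only (Step 4 note)
        f" ip address {local.tunnel_ip} 255.255.255.0",
        " keepalive 3 7",                        # point-to-point GRE only, never on a VRF tunnel
        f" tunnel source {local.tunnel_src_if}",
        f" tunnel destination {remote.tunnel_src_ip}",
        f" tunnel key {key}",                    # same value both ends; not a security control
        " tunnel mode gre ip",
        f" ip mtu {mtu}",                        # omit when tunnel path-mtu-discovery is used
        f" ip tcp mss {mss}",                    # assumed: mtu minus 40 bytes of IP and TCP header
    ]
    slots = {"phys_in": local.phys_in, "phys_out": local.phys_out, "tunnel": "tunnel 0"}
    for slot, direction in NETFLOW_PLACEMENT[(role, traffic)].items():
        if slots[slot] is None:
            raise ValueError(f"{local.name}: {traffic} {role} needs an egress physical interface")
        lines += [f"interface {slots[slot]}", f" ip flow {direction}"]
    return lines


def hw_table_headroom(current_entries: int, capacity: int, streams: int, traffic: str) -> int:
    """Entries left in the hardware NetFlow table after enabling accounting on the tunnel;
    negative means it is oversubscribed. capacity is a platform figure you must look up."""
    return capacity - current_entries - streams * FLOWS_PER_STREAM[traffic]
```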

Verifying NetFlow Accounting

SUMMARY STEPS

1. enable

2. show ip cache flow

3. show mls netip module number

DETAILED STEPS

Step 1 enable

Enables privileged EXEC mode. Enter your password if prompted.

Router> enable

Step 2 show ip cache flow

The show ip cache flow command displays the NetFlow statistics in the cache. The tunnel interface (Tu0) appears in several rows of the statistics, indicating that NetFlow accounting is operational for the tunnel interface.

Step 3 show mls netip module number

The show mls netip module number command displays information about the hardware-switched NetFlow flows. The tunnel interface (Tu0) appears in several rows of the statistics, indicating that NetFlow accounting is operational for the tunnel interface.

Caution Entering this command on a Cisco 12000 Series Internet Router causes packet forwarding to stop for a few seconds while NetFlow reloads the route processor and line card CEF tables. To avoid interruption of service to a live network, apply this command during a change window, or include it in the startup-config file to be executed during a router reboot.

Step 9

ip flow-export template refresh-rate packets

Example:

Router(config)# ip flow-export template refresh-rate 15

(Optional) Enables the export of information in NetFlow cache entries.

•The template keyword specifies template-specific configurations.

•The refresh-rate packets keyword-argument pair specifies the number of packets exported before the templates are resent. Range is 1 to 600 packets. The default is 20 packets.

Step 10

ip flow-export template timeout-rate minutes

Example:

Router(config)# ip flow-export template timeout-rate 90

(Optional) Enables the export of information in NetFlow cache entries.

•The template keyword specifies that the timeout-rate keyword applies to the template.

•The timeout-rate minutes keyword-argument pair specifies the time elapsed before the templates are resent. You can specify from 1 to 3600 minutes. The default is 30 minutes.

Step 11

ip flow-export template options export-stats

Example:

Router(config)# ip flow-export template options export-stats

(Optional) Enables the export of information in NetFlow cache entries.

•The template keyword specifies template-specific configurations.

•The options keyword specifies template options.

•The export-stats keyword specifies that the export statistics include the total number of flows exported and the total number of packets exported.

Step 12

ip flow-export template options refresh-rate packets

Example:

Router(config)# ip flow-export template options refresh-rate 25

(Optional) Enables the export of information in NetFlow cache entries.

•The template keyword specifies template-specific configurations.

•The options keyword specifies template options.

•The refresh-rate packets keyword-argument pair specifies the number of packets exported before the templates are resent. Range is 1 to 600 packets. The default is 20 packets.

Step 13

ip flow-export template options timeout-rate minutes

Example:

Router(config)# ip flow-export template options timeout-rate 120

(Optional) Enables the export of information in NetFlow cache entries.

•The template keyword specifies template-specific configurations.

•The options keyword specifies template options.

•The timeout-rate minutes keyword-argument pair specifies the time elapsed before the templates are resent. Range is 1 to 3600 minutes. The default is 30 minutes.

Step 14

end

Example:

Router(config)# end

Exits the current configuration mode and returns to privileged EXEC mode.

Verifying That NetFlow Data Export Is Operational

To verify that NetFlow data export is operational, perform the following optional task.

SUMMARY STEPS

1. show ip flow export

2. show ip flow export template

DETAILED STEPS

Step 1 show ip flow export

Use this command to display the statistics for the NetFlow data export, including statistics for the main cache and for all other enabled caches. The following is sample output from this command:

Router# show ip flow export

Flow export v9 is enabled for main cache

Export source and destination details :

VRF ID : Default

Source(1) 10.4.9.62 (GigabitEthernet6/2)

Source(2) 10.4.9.62 (GigabitEthernet6/2)

Destination(1) 172.16.10.2 (99)

Destination(2) 172.16.10.3 (99)

Version 9 flow records

11 flows exported in 11 udp datagrams

0 flows failed due to lack of export packet

0 export packets were sent up to process level

0 export packets were dropped due to no fib

0 export packets were dropped due to adjacency issues

0 export packets were dropped due to fragmentation failures

0 export packets were dropped due to encapsulation fixup failures

0 export packets were dropped enqueuing for the RP

0 export packets were dropped due to IPC rate limiting

0 export packets were dropped due to Card not being able to export

Step 2 show ip flow export template

Use this command to display the statistics for the NetFlow data export (such as the template timeout rate and the refresh rate) for the template-specific configurations. The following is sample output from this command:

Router# show ip flow export template

Template Options Flag = 1

Total number of Templates added = 1

Total active Templates = 1

Flow Templates active = 0

Flow Templates added = 0

Option Templates active = 1

Option Templates added = 1

Template ager polls = 0

Option Template ager polls = 388

Main cache version 9 export is enabled

Template export information

Template timeout = 90

Template refresh rate = 15

Option export information

Option timeout = 120

Option refresh rate = 25
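The two outputs above can be checked mechanically rather than by eye. The following Python parser is an added example, not Cisco tooling: it reads show ip flow export and show ip flow export template output (the sample text is constructed from the output shown above, trimmed to the parsed lines) and reports anything that would leave the collector, and any detection built on it, without flow records.

```python
"""Parsers for "show ip flow export" / "show ip flow export template" output.

Hypothetical code written for this page, not Cisco tooling. Non-zero drop or
failure counters mean records never reached the collector.
"""
import re
from typing import Dict, List, Tuple

# Constructed from the sample output on this page (trimmed to the lines parsed).
SAMPLE_EXPORT = """\
Flow export v9 is enabled for main cache
Destination(1) 172.16.10.2 (99)
Destination(2) 172.16.10.3 (99)
11 flows exported in 11 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to Card not being able to export
"""
SAMPLE_TEMPLATE = """\
Template timeout = 90
Template refresh rate = 15
Option timeout = 120
Option refresh rate = 25
"""


def parse_flow_export(text: str) -> Dict:
    """Pull the enabled flag, collectors, export counts and every drop/failure counter."""
    r = {"enabled": False, "collectors": [], "flows": 0, "datagrams": 0, "drops": {}}
    for line in text.splitlines():
        line = line.strip()
        if re.match(r"Flow export v\d+ is enabled", line):
            r["enabled"] = True
        elif m := re.match(r"Destination\(\d+\)\s+(\S+)\s+\((\d+)\)", line):
            r["collectors"].append((m.group(1), int(m.group(2))))
        elif m := re.match(r"(\d+) flows exported in (\d+) udp datagrams", line):
            r["flows"], r["datagrams"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"(\d+) (?:export packets were dropped|flows failed) (.+)", line):
            r["drops"][m.group(2)] = int(m.group(1))   # reason -> count
    return r


def parse_template_rates(text: str) -> Dict[str, int]:
    """Map 'Template timeout', 'Option refresh rate', ... to their configured values."""
    pairs = re.findall(r"^(\w+ (?:timeout|refresh rate))\s*=\s*(\d+)", text, re.M)
    return {name: int(value) for name, value in pairs}


def export_problems(report: Dict, expected: List[Tuple[str, int]]) -> List[str]:
    """Findings for an operator; an empty list means export looks healthy."""
    problems = []
    if not report["enabled"]:
        problems.append("flow export is not enabled")
    for host, port in sorted(set(expected) - set(report["collectors"])):
        problems.append(f"collector {host}:{port} is not an export destination")
    for reason, n in report["drops"].items():
        if n:
            problems.append(f"{n} export packets lost ({reason})")
    if report["enabled"] and report["flows"] == 0:
        problems.append("export enabled but no flows exported yet")
    return problems
```

Compare parse_template_rates against the values you configured in Steps 9 through 13; a mismatch means the router is running a different template policy than intended.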

Configuration Examples for NetFlow Accounting for Unicast and Multicast on GRE Tunnel Interfaces

The following example shows you how to configure data export for NetFlow:

Technical Assistance

The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Table 3 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(1) or 12.0(3)S or a later release appear in the table.

Not all commands may be available in your Cisco IOS software release. For details on when support for a specific command was introduced, see the command reference documentation.

Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform. Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Note Table 3 lists only the Cisco IOS software release that introduced support for a given feature in a given Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS software release train also support that feature.

Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks. Third party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1005R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.